Bio: Rob Winch is currently a Senior Software Engineer at VMware and is the project lead of the Spring Security framework. In the past he worked as a Software Architect at Cerner, the largest provider of electronic medical systems in the US, securing health care applications. Throughout his career he has developed hands-on experience integrating Spring Security with an array of security standards.

Sure; it started because I use Spring Security in my everyday life quite frequently, and one of the things that’s really easy to get involved in is some of the lower-ticket items; so you can start answering questions on the forums, and that’s very helpful because it allows the developers to focus more on the code; and then as you grow, as you get more popularity and a better understanding of what’s going on, you can start taking on small JIRAs, you know, fixing small bugs, documentation, and basically if you gradually grow, you’ll become recognized and hopefully become part of the team if you’re submitting good contributions; just make sure that you look over the code and review it very well before you submit it.

Well, in terms of functionality, one of the main goals of multi-tenancy is to be able to deploy once and support multiple tenants, so that will reduce your cost by quite a bit; however, the complexity can be quite involved; we only talked about some of the aspects of security in terms of the application; there are a lot of other concerns that you need to address, but in terms of application security, you want to make sure that your data store is separated, similar to how we talked about, so that you know which data belongs to which user, and you also need to make sure that your application is aware of which data is being requested; and providing a way of mapping each of those in a clean abstraction is very important so that you can swap them out later if necessary.

In terms of security, separating your data is a form of security because it’s isolating the data; so if one tenant gets broken into, then another one is not broken into; but you also want to make sure that you scope all of your permissions and access control to your particular tenant and the user; so don’t just pay attention to the user, but make sure that you’re paying attention to the tenants as well, and that is one of the other things that we focused on towards the end of the presentation.

As you mentioned, multi-tenancy is becoming quite popular nowadays, and I’m probably only able to answer the question in terms of the application; like I said, there are a lot more aspects to it than just the application, though; but Hibernate and some of the other ORM tools are quite mature in this respect because they’ve had the support out there for quite some time; but in terms of some of the platform-layer multi-tenancy, I’m probably not the best person to talk to on that.

Well, I think one of the main points of the presentation kind of emphasizes this, but we can kind of hit it hard here, and it really amounts to making sure that the rest of your application is coded in a way that is not aware of the multi-tenancy; because that complication, you don’t want to spread it throughout the rest of your application; so you want to try to isolate and centralize that logic as much as possible; and we are able to utilize things like Aspect Oriented Programming in order to help control that, and dependency injection as well really helps.

Sure; Spring Security 3.1 has been out for a little bit now, but some of the new features are multiple HTTP blocks, and what that allows the developer to do is isolate what is happening for a particular set of URLs; so for example you might have one type of authentication for a certain set of URLs and another for another; this comes in handy when you have an application that’s supporting something like OAuth: you could basically use a Request Matcher, which is part of the APIs, to say that anything that matches a JSON request is going to use OAuth and anything else is going to use a form-based login, and this is nice because if the user is not authenticated, you’re going to need to present them with some way of handling the fact that they’re not authenticated; one way, with username and password, would be displaying a login form, but you handle it totally differently if you’re using something like OAuth: you would send that HTTP status code back to the client.

So right now OAuth and the Spring Security OAuth extension are fairly solidified; it’s kind of waiting for the OAuth specification to be released, but the spec seems to be kind of just fine-tuning things at the moment. So it’s fairly mature, but at the moment it’s kind of holding off until things are solidified; but one thing I should emphasize is I’m not the lead of the OAuth extension, so I’m probably not the overall authority on that response.

Well, to be honest, I’m not all that familiar with what support they’re planning on adding, but one of the things that Spring kind of tends to do is it will integrate. As we showed in the presentation, we are able to support something that was not directly supported with Spring Security; we added these extensions ourselves, and so what that shows is that Spring Security is rather flexible and powerful, and even if there is a standard that is developed that kind of overlaps with some of that functionality, it will most likely play nicely with that new standard and complement it, because larger standards bodies tend to move a lot slower than something like the Spring Framework, and that’s one of the things that’s nice about it: it kind of stays ahead of the curve.

Well, in terms of multi-tenancy, I don’t know that there are any trends going on in there; I think it’s just going to continue to grow; one of the things that will probably be beneficial is supporting more types of ORMs (ORM tools) in terms of NoSQL, but I’m not really an expert in some of the NoSQL databases, so they may already have support for it.

Well, some of the things that are planned for the near future are probably more bug enhancements, but after that we’re going to look to try to – the current plan is to look to get more in line with some of the standard Spring stuff; so for example we hope to come up with a Java Config that complements the Java Config of standard Spring; that’s one of our more requested features, and we struggle with that because the configuration of Spring Security is a lot more vast than some of the other configurations. There’s been an approach using Scala before by Luke, the former lead of Spring Security, but some people are not able to adopt Scala, so we hope to be able to add some support for Java config there.

Another thing that would be nice to add is some support for multi-factor authentication and mutual authentication, so instead of just authenticating the user when the user types a username, they might enter one factor of authentication like a security question, and then after the security question is answered it presents an image and some phrase to the user so that they know that it’s safe to enter their password itself; and then things like integrating with something like Google Authenticator would also be nice; so those are some of the things that we hope to support. Another thing, hopefully, is Servlet Async support, which was recently added to the Spring MVC project. So those are some of the things that I have planned for the future; how soon that is is yet to be determined.

Srini: Right. The asynchronous nature of the servlets will definitely bring a lot of new challenges in the security space.

Well, I read quite a few books, but the most recent one that I’ve been reading is kind of non-security related. I really like the Signature Series by Rod Johnson, and I’m reading the Continuous Delivery book, and it’s really interesting in some of the insights that it provides; so I really like that aspect.

Srini: Yes, it’s a good book. I read that too; Jez Humble is one of the authors. It’s from John Wiley Publishers. Thanks for your time.
